Index: drm_ioctl.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c,v
retrieving revision 1.10
diff -p -u -r1.10 drm_ioctl.c
--- drm_ioctl.c	28 Aug 2018 03:41:38 -0000	1.10
+++ drm_ioctl.c	14 Sep 2018 04:00:53 -0000
@@ -703,6 +703,7 @@ drm_ioctl(struct file *fp, unsigned long
 {
 	char stackbuf[128];
 	char *buf = stackbuf;
+	void *data0 = data;
 	struct drm_file *const file = fp->f_data;
 	const unsigned int nr = DRM_IOCTL_NR(cmd);
 	int error;
@@ -761,20 +762,24 @@ drm_ioctl(struct file *fp, unsigned long
 		memcpy(buf, data, IOCPARM_LEN(cmd));
 		memset(buf + IOCPARM_LEN(cmd), 0,
 		    IOCPARM_LEN(ioctl->cmd) - IOCPARM_LEN(cmd));
-		data = buf;
+		data0 = buf;
 	}
 
 	if ((drm_core_check_feature(dev, DRIVER_MODESET) && is_driver_ioctl) ||
 	    ISSET(ioctl->flags, DRM_UNLOCKED)) {
 		/* XXX errno Linux->NetBSD */
-		error = -(*ioctl->func)(dev, data, file);
+		error = -(*ioctl->func)(dev, data0, file);
 	} else {
 		mutex_lock(&drm_global_mutex);
 		/* XXX errno Linux->NetBSD */
-		error = -(*ioctl->func)(dev, data, file);
+		error = -(*ioctl->func)(dev, data0, file);
 		mutex_unlock(&drm_global_mutex);
 	}
 
+	/* If we used a temporary buffer, copy it back out.  */
+	if (data != data0)
+		memcpy(data, data0, IOCPARM_LEN(cmd));
+
 	/* If we had to allocate a heap buffer, free it.  */
 	if (buf != stackbuf)
 		kmem_free(buf, IOCPARM_LEN(ioctl->cmd));